Category | Started On | Completed On | Duration | Cuckoo Version |
---|---|---|---|---|
FILE | 2014-01-24 13:34:28 | 2014-01-24 13:36:44 | 136 seconds | 1.0 |
File name | zeus2.exe |
---|---|
File size | 47616 bytes |
File type | MS-DOS executable |
CRC32 | 58F93697 |
MD5 | ebbe29d74e03003ffaaadc4edf11d6da |
SHA1 | 68b5b85fba79654535cd130027fc873f80c66284 |
SHA256 | 2eeff130bf652d04638e599f1313b7748d83b54ae91dd9c3414002e0f9e9864c |
SHA512 | 136c0831a538c22bebb5cf09a2446dfceabefa1b1b2822ead43110d28df5d5d1f731647ed77e0de47f09df1be219f99dab90a53c401a3eb1a75476ca0208f6c2 |
Ssdeep | 768:Q9SvSmis1Cd5BSAeS1df0FB0Wgo75GpaSoabxN+bsEDYgO0MfxagFEmKO+hUu:a0SPsMHPeid6B0w75GpaS8sdgO0MxEmU |
PEiD | None matched |
Yara | None matched |
VirusTotal | VirusTotal lookup disabled, add your API key to the module |
IP Address |
---|
X.X.X.X |
Timestamp | Thread | Function | Arguments | Status | Return | Repeated |
---|---|---|---|---|---|---|
13:34:29,344 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0xffffffff Address => 0x00400000 Size => 0x00001000 |
SUCCESS | 0x00000001 | |
13:34:29,344 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0xffffffff Address => 0x00401000 Size => 0x0000e38d |
SUCCESS | 0x00000001 | |
13:34:29,344 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0xffffffff Address => 0x00410000 Size => 0x00001360 |
SUCCESS | 0x00000001 | |
13:34:29,344 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0xffffffff Address => 0x00412000 Size => 0x00013000 |
SUCCESS | 0x00000001 | |
13:34:29,344 | 920 | LdrLoadDll |
Flags => 1243244 BaseAddress => 0x7c800000 FileName => kernel32.dll |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetCommandLineA FunctionAddress => 0x7c812fad ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetLogicalDrives FunctionAddress => 0x7c830b04 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetDriveTypeW FunctionAddress => 0x7c80b360 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetFileSizeEx FunctionAddress => 0x7c810a99 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateFileMappingW FunctionAddress => 0x7c809420 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => MapViewOfFile FunctionAddress => 0x7c80b995 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => UnmapViewOfFile FunctionAddress => 0x7c80ba04 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ResetEvent FunctionAddress => 0x7c80a0cb ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetTimeZoneInformation FunctionAddress => 0x7c8350d7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetVersionExW FunctionAddress => 0x7c80aef5 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetUserDefaultUILanguage FunctionAddress => 0x7c813100 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetProcessHeap FunctionAddress => 0x7c80ac51 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetModuleHandleA FunctionAddress => 0x7c80b731 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Sleep FunctionAddress => 0x7c802446 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CopyFileW FunctionAddress => 0x7c82f863 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetModuleFileNameW FunctionAddress => 0x7c80b465 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetModuleFileNameA FunctionAddress => 0x7c80b55f ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetLastError FunctionAddress => 0x7c91fe01 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateMutexW FunctionAddress => 0x7c80e947 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => OpenMutexW FunctionAddress => 0x7c80ea25 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ReleaseMutex FunctionAddress => 0x7c8024b7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcmpiW FunctionAddress => 0x7c80aa26 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcmpiA FunctionAddress => 0x7c80bb31 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrlenW FunctionAddress => 0x7c809a99 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrlenA FunctionAddress => 0x7c80be46 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcpyW FunctionAddress => 0x7c80baf4 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcpynW FunctionAddress => 0x7c80ba7f ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcpyA FunctionAddress => 0x7c80be91 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcatW FunctionAddress => 0x7c810fc2 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => lstrcatA FunctionAddress => 0x7c834d59 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CloseHandle FunctionAddress => 0x7c809bd7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DeleteFileW FunctionAddress => 0x7c831f4b ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetFileAttributesW FunctionAddress => 0x7c8314c5 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WaitForSingleObject FunctionAddress => 0x7c802530 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetEvent FunctionAddress => 0x7c80a0a7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateFileW FunctionAddress => 0x7c8107f0 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateEventW FunctionAddress => 0x7c80a739 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetFilePointer FunctionAddress => 0x7c810c1e ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => HeapAlloc FunctionAddress => 0x7c9200a4 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => HeapReAlloc FunctionAddress => 0x7c929b80 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => HeapFree FunctionAddress => 0x7c91ff0d ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ConnectNamedPipe FunctionAddress => 0x7c83144b ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WaitNamedPipeW FunctionAddress => 0x7c82c65c ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetNamedPipeHandleState FunctionAddress => 0x7c8313dc ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateNamedPipeW FunctionAddress => 0x7c82f0c5 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetTickCount FunctionAddress => 0x7c80932e ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateRemoteThread FunctionAddress => 0x7c8104bc ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WriteFile FunctionAddress => 0x7c810e17 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ReadFile FunctionAddress => 0x7c801812 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetEndOfFile FunctionAddress => 0x7c83205e ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetFileSize FunctionAddress => 0x7c810b07 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => FlushFileBuffers FunctionAddress => 0x7c8126d1 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetLocalTime FunctionAddress => 0x7c80a864 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DisconnectNamedPipe FunctionAddress => 0x7c81272f ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,344 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WriteProcessMemory FunctionAddress => 0x7c802213 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateThread FunctionAddress => 0x7c8106c7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateToolhelp32Snapshot FunctionAddress => 0x7c865b1f ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Process32FirstW FunctionAddress => 0x7c864d3c ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Process32NextW FunctionAddress => 0x7c864ec7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Module32FirstW FunctionAddress => 0x7c865187 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Module32NextW FunctionAddress => 0x7c865324 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Thread32First FunctionAddress => 0x7c86503a ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => Thread32Next FunctionAddress => 0x7c8650ee ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetExitCodeProcess FunctionAddress => 0x7c81ab3b ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => OpenProcess FunctionAddress => 0x7c8309d1 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => VirtualQueryEx FunctionAddress => 0x7c80ba30 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => VirtualAllocEx FunctionAddress => 0x7c809b02 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => VirtualProtectEx FunctionAddress => 0x7c801a61 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetCurrentProcessId FunctionAddress => 0x7c8099b0 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetThreadPriority FunctionAddress => 0x7c80c198 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetThreadPriority FunctionAddress => 0x7c80a823 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetCurrentThread FunctionAddress => 0x7c80997b ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetCurrentThreadId FunctionAddress => 0x7c8097b8 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateProcessW FunctionAddress => 0x7c802336 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetProcessTimes FunctionAddress => 0x7c8352f1 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => MultiByteToWideChar FunctionAddress => 0x7c809c88 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => WideCharToMultiByte FunctionAddress => 0x7c80a164 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => MoveFileExW FunctionAddress => 0x7c835673 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateDirectoryW FunctionAddress => 0x7c8323ea ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetTempPathW FunctionAddress => 0x7c830779 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => IsBadReadPtr FunctionAddress => 0x7c809e91 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetLastError FunctionAddress => 0x7c91fe10 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ReadProcessMemory FunctionAddress => 0x7c8021d0 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => InitializeCriticalSection FunctionAddress => 0x7c809f81 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => EnterCriticalSection FunctionAddress => 0x7c911000 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => LeaveCriticalSection FunctionAddress => 0x7c9110e0 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetSystemTime FunctionAddress => 0x7c80176f ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetTempFileNameW FunctionAddress => 0x7c8359cf ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => FindFirstFileW FunctionAddress => 0x7c80ef71 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => FindNextFileW FunctionAddress => 0x7c80efca ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => FindClose FunctionAddress => 0x7c80ee67 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetComputerNameW FunctionAddress => 0x7c8316b7 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetFileTime FunctionAddress => 0x7c831ca8 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetFileTime FunctionAddress => 0x7c831c35 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GlobalLock FunctionAddress => 0x7c80ffa9 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GlobalUnlock FunctionAddress => 0x7c80ff12 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => ExpandEnvironmentStringsW FunctionAddress => 0x7c8305e6 ModuleHandle => 0x7c800000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrLoadDll |
Flags => 1243244 BaseAddress => 0x7e6a0000 FileName => shell32.dll |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SHGetSpecialFolderPathW FunctionAddress => 0x7e6cf778 ModuleHandle => 0x7e6a0000 |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrLoadDll |
Flags => 1243240 BaseAddress => 0x77f40000 FileName => shlwapi.dll |
SUCCESS | 0x00000000 | |
13:34:29,354 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => StrStrW FunctionAddress => 0x77f46e0c ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => StrCmpNIA FunctionAddress => 0x77f507a6 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => StrCmpNIW FunctionAddress => 0x77f46f84 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => wvnsprintfW FunctionAddress => 0x77f491f1 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => wvnsprintfA FunctionAddress => 0x77f48002 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => wnsprintfW FunctionAddress => 0x77f493e6 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => wnsprintfA FunctionAddress => 0x77f4827c ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PathCombineW FunctionAddress => 0x77f479c9 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PathFindFileNameW FunctionAddress => 0x77f47077 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PathFileExistsW FunctionAddress => 0x77f47d89 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PathRemoveFileSpecW FunctionAddress => 0x77f47c56 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => PathMatchSpecW FunctionAddress => 0x77f52826 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SHDeleteKeyA FunctionAddress => 0x77f58511 ModuleHandle => 0x77f40000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrLoadDll |
Flags => 1243240 BaseAddress => 0x76bb0000 FileName => psapi.dll |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetModuleFileNameExW FunctionAddress => 0x76bb176a ModuleHandle => 0x76bb0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrLoadDll |
Flags => 1243240 BaseAddress => 0x77da0000 FileName => advapi32.dll |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetUserNameW FunctionAddress => 0x77db494d ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => LookupPrivilegeValueW FunctionAddress => 0x77dcb8af ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => AdjustTokenPrivileges FunctionAddress => 0x77daeffc ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => OpenProcessToken FunctionAddress => 0x77da797b ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetTokenInformation FunctionAddress => 0x77da72f5 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => LookupAccountSidW FunctionAddress => 0x77db56e7 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegQueryValueExW FunctionAddress => 0x77da6fef ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegCreateKeyExW FunctionAddress => 0x77da775c ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegOpenKeyExW FunctionAddress => 0x77da6a9f ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegCloseKey FunctionAddress => 0x77da6c17 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegSetValueExW FunctionAddress => 0x77dad757 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegDeleteValueW FunctionAddress => 0x77daede1 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => RegEnumKeyExW FunctionAddress => 0x77da7bc9 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => InitializeSecurityDescriptor FunctionAddress => 0x77da79b6 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => SetSecurityDescriptorDacl FunctionAddress => 0x77da79db ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CreateProcessAsUserW FunctionAddress => 0x77dba889 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => DuplicateTokenEx FunctionAddress => 0x77da818e ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptAcquireContextW FunctionAddress => 0x77db7f79 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptCreateHash FunctionAddress => 0x77db9c51 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptHashData FunctionAddress => 0x77db9a7e ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptGetHashParam FunctionAddress => 0x77db9d94 ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptDestroyHash FunctionAddress => 0x77db9bac ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CryptReleaseContext FunctionAddress => 0x77db7ece ModuleHandle => 0x77da0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrLoadDll |
Flags => 1243240 BaseAddress => 0x774b0000 FileName => ole32.dll |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => CoCreateInstance FunctionAddress => 0x774d057e ModuleHandle => 0x774b0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LookupPrivilegeValueW |
SystemName => PrivilegeName => SeDebugPrivilege |
SUCCESS | 0x00000001 | |
13:34:29,364 | 920 | LdrLoadDll |
Flags => 1243236 BaseAddress => 0x77fc0000 FileName => Secur32.dll |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | LdrGetProcedureAddress |
Ordinal => 0 FunctionName => GetUserNameExW FunctionAddress => 0x77fc1c70 ModuleHandle => 0x77fc0000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | VirtualProtectEx |
Protection => 0x00000004 ProcessHandle => 0xffffffff Address => 0x00400000 Size => 0x00000138 |
SUCCESS | 0x00000001 | |
13:34:29,364 | 920 | NtCreateMutant |
Handle => 0x00000090 InitialOwner => 1 MutexName => C:\__SYSTEM__91C38905__ |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x0000008c FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012f8b0 SectionHandle => 0x0000008c ProcessHandle => 0xffffffff BaseAddress => 0x00920000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012f8c8 SectionHandle => 0x0000008c ProcessHandle => 0xffffffff BaseAddress => 0x00920000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00010000 BaseAddress => 0x00910000 |
SUCCESS | 0x00000000 | |
13:34:29,364 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012f900 SectionHandle => 0x0000008c ProcessHandle => 0xffffffff BaseAddress => 0x00910000 |
SUCCESS | 0x00000000 | 23 times |
13:34:29,394 | 920 | NtOpenMutant |
Handle => 0x00000000 MutexName => C:\__SYSTEM__64AD0625__ |
FAILURE | 0xc0000034 | |
13:34:29,394 | 920 | RegCreateKeyExW |
Handle => 0x00000094 Access => 3 Registry => 0x80000002 Class => SubKey => software\microsoft\windows nt\currentversion\winlogon |
SUCCESS | 0x00000000 | |
13:34:29,394 | 920 | RegQueryValueExW |
Handle => 0x00000094 DataLength => 68 ValueName => userinit Type => 1 |
SUCCESS | 0x00000000 | |
13:34:29,394 | 920 | RegQueryValueExW |
Handle => 0x00000094 Data => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00u\x00s\x00e\x00r\x00i\x00n\x00i\x00t\x00.\x00e\x00x\x00e\x00,\x00\x00\x00 ValueName => userinit |
SUCCESS | 0x00000000 | |
13:34:29,394 | 920 | RegSetValueExW |
Handle => 0x00000094 Buffer => C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00u\x00s\x00e\x00r\x00i\x00n\x00i\x00t\x00.\x00e\x00x\x00e\x00,\x00C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00n\x00t\x00o\x00s\x00.\x00e\x00x\x00e\x00,\x00\x00\x00 ValueName => userinit Type => 1 |
SUCCESS | 0x00000000 | |
13:34:29,394 | 920 | RegCloseKey |
Handle => 0x00000094 |
SUCCESS | 0x00000000 | |
13:34:29,394 | 920 | NtOpenFile |
ShareAccess => 7 FileName => C:\WINDOWS\system32\ntos.exe DesiredAccess => 0x00100100 FileHandle => 0x00000000 |
FAILURE | 0xc0000034 | |
13:34:29,404 | 920 | DeleteFileW |
FileName => C:\WINDOWS\system32\ntos.exe |
FAILURE | 0x00000000 | |
13:34:29,404 | 920 | CopyFileW |
ExistingFileName => C:\DOCUME~1\jmotos\CONFIG~1\Temp\zeus2.exe NewFileName => C:\WINDOWS\system32\ntos.exe |
SUCCESS | 0x00000001 | |
13:34:29,404 | 920 | NtOpenFile |
ShareAccess => 7 FileName => C:\WINDOWS\system32\ntos.exe DesiredAccess => 0x00100100 FileHandle => 0x00000098 |
SUCCESS | 0x00000000 | |
13:34:29,404 | 920 | NtSetInformationFile |
FileHandle => 0x00000098 FileInformation => |
SUCCESS | 0x00000000 | |
13:34:29,404 | 920 | NtCreateFile |
ShareAccess => 1 FileName => C:\WINDOWS\system32\ntos.exe DesiredAccess => 0x40100080 CreateDisposition => 1 FileHandle => 0x00000098 |
SUCCESS | 0x00000000 | |
13:34:29,404 | 920 | NtQueryInformationFile |
FileHandle => 0x00000098 FileInformation => \x00\xc0\x00\x00\x00\x00\x00\x00\x00\xba\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
13:34:29,404 | 920 | NtSetInformationFile |
FileHandle => 0x00000098 FileInformation => |
SUCCESS | 0x00000000 | |
13:34:29,434 | 920 | NtWriteFile |
Buffer => J\x08,\x90.\x1c\x14HB(\x02lb\xd84\x18\x04\x91D\x0c8^>\x04\x048w<\xaf4\x8c.\xe0\x0eh\xc8\\x00R\x19Z\x062\x0e\x06\xb4g\x104\x05(\x04p"D\x14\x06\x01\xcf\x07vp:z\x04\x82J\x1c
\x1a{t\x19zsD#r\x8f2
\x0f\x07,\x08
N\xa7Rk@\x0c&\x93\x05\x07C/\xc8>*\x1eL\x1f.0\\xa7 \x04\x01\x04nBj\x053\x16\xc2\x04Jx2\x040\x02J\x94\x9e\x02\x02\x04\xaf<Z\x14\x0e3\x14\x9e=7P\xae\xbe\x82\x1dj\x01\x02NbJ\x01\x1e&\x12\x10\x0fT\x1e\x10\x00L\x0c\x0bT\x0cr X\x10U\x08\x01\x00,\x00\x9c02\xe8\x12+\x03\x18\x12>\x06\x0f4\x16\xa2L\x06\x00\x06\xab\x06\x8a\xb6&\x00\x8cv\x0e&\x04\xaa\x11\x1a\x06\x16\x01\x81\x0e:\x10r2\x12\x00\x0e\x9c $C\x0c>\x04R\x06\x1a`
\xaeG\x84\xd9\x05z\x08dsh\x14M\xbcZ\x0c\x06\x80L6 \xbf FileHandle => 0x00000098 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00014000 BaseAddress => 0x0015e000 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtCreateFile |
ShareAccess => 3 FileName => C:\WINDOWS\system32\ntdll.dll DesiredAccess => 0x80100080 CreateDisposition => 1 FileHandle => 0x00000094 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtQueryInformationFile |
FileHandle => 0x00000094 FileInformation => \x00\xa0\xa1\x10'\x9e\xc8\x01\xe0NN\xa5\x00\x19\xcf\x01\x00\xa0\xa1\x10'\x9e\xc8\x01\x00j,>x\x13\xcf\x01 \x00\x00\x00\x00\x00\x00\x00 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtSetInformationFile |
FileHandle => 0x00000098 FileInformation => |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtOpenFile |
ShareAccess => 7 FileName => C:\WINDOWS\system32\ntos.exe DesiredAccess => 0x00100100 FileHandle => 0x00000098 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtSetInformationFile |
FileHandle => 0x00000098 FileInformation => |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | NtCreateSection |
ObjectAttributes => DesiredAccess => 0x000f0007 SectionHandle => 0x00000098 FileHandle => 0x00000000 |
SUCCESS | 0x00000000 | |
13:34:29,464 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012ee80 SectionHandle => 0x00000098 ProcessHandle => 0xffffffff BaseAddress => 0x00920000 |
SUCCESS | 0x00000000 | |
13:34:29,474 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012ee98 SectionHandle => 0x00000098 ProcessHandle => 0xffffffff BaseAddress => 0x00920000 |
SUCCESS | 0x00000000 | |
13:34:29,474 | 920 | NtFreeVirtualMemory |
FreeType => 0x00008000 ProcessHandle => 0xffffffff RegionSize => 0x00010000 BaseAddress => 0x00910000 |
SUCCESS | 0x00000000 | |
13:34:29,474 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012eecc SectionHandle => 0x00000098 ProcessHandle => 0xffffffff BaseAddress => 0x00910000 |
SUCCESS | 0x00000000 | |
13:34:29,474 | 920 | ZwMapViewOfSection |
SectionOffset => 0x0012eed0 SectionHandle => 0x00000098 ProcessHandle => 0xffffffff BaseAddress => 0x00910000 |
SUCCESS | 0x00000000 | 3 times |
13:34:29,474 | 920 | ReadProcessMemory |
Buffer => \x00\x00\x00\x01 ProcessHandle => 0x00000094 BaseAddress => 0x7ffdf008 |
SUCCESS | 0x00000001 | |
13:34:29,474 | 920 | ReadProcessMemory |
Buffer => \x90\x1e\x17\x00 ProcessHandle => 0x00000094 BaseAddress => 0x7ffdf00c |
SUCCESS | 0x00000001 | |
13:34:29,474 | 920 | ReadProcessMemory |
Buffer => \xc8\x1e\x17\x00 ProcessHandle => 0x00000094 BaseAddress => 0x00171ea4 |
SUCCESS | 0x00000001 | |
13:34:29,474 | 920 | ReadProcessMemory |
Buffer => \x18\x1f\x17\x00\x9c\x1e\x17\x00 \x1f\x17\x00\xa4\x1e\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xe1\xe5\x03\x01\x00\x10\x08\x00H\x00J\x004\x05\x02\x00\x18\x00\x1a\x00d\x05\x02\x00\x00P\x00\x00\xff\xff\x00\x00T+\x17\x00\x10\xb3\x98|Iu\x02H\x00\x00\x00\x00\x00\x00\x00\x00 ProcessHandle => 0x00000094 BaseAddress => 0x00171ec0 |
SUCCESS | 0x00000001 | |
13:34:29,474 | 920 | ReadProcessMemory |
Buffer => \\x00?\x00?\x00\\x00C\x00:\x00\\x00W\x00I\x00N\x00D\x00O\x00W\x00S\x00\\x00s\x00y\x00s\x00t\x00e\x00m\x003\x002\x00\\x00w\x00i\x00n\x00l\x00o\x00g\x00o\x00n\x00.\x00e\x00x\x00e\x00\x00\x00 ProcessHandle => 0x00000094 BaseAddress => 0x00020534 |
SUCCESS | 0x00000001 | |
13:34:29,474 | 920 | NtCreateFile |
ShareAccess => 3 FileName => PIPE\lsarpc DesiredAccess => 0xc0100080 CreateDisposition => 1 FileHandle => 0x000000a4 |
SUCCESS | 0x00000000 | |
13:34:29,484 | 920 | NtSetInformationFile |
FileHandle => 0x000000a4 FileInformation => |
SUCCESS | 0x00000000 | 1 time |
13:34:29,484 | 920 | NtWriteFile |
Buffer => \x05\x00\x0b\x03\x10\x00\x00\x00H\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00xW4\x124\x12\xcd\xab\xef\x00\x01#Eg\x89\xab\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x000000a4 |
SUCCESS | 0x00000000 | |
13:34:29,484 | 920 | NtReadFile |
Buffer => \x05\x00\x0c\x03\x10\x00\x00\x00D\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x89\x14\x00\x00\x0c\x00\PIPE\lsass\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`\x02\x00\x00\x00 FileHandle => 0x000000a4 |
SUCCESS | 0x00000000 | |
13:34:29,484 | 920 | WriteProcessMemory |
Buffer => MZ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008\x01\x00\x00\x05\x06\x00\x01o034\xb5\x00\x00\x00\x00.\x93\x02\x00\x97I\x01\x80\xee6\x00\xc0eR\x00@w\x1b\x00\xa0\xbb
\x00"\x00\x1c\x00\x00\x04\x00\x00^}f}(@\x19L\x1dG\x14O\x0fO\x0bX W\x03b\xfe`\xf8\x98\xf5\xa8\xf1\xa0$\xa8\xe8\xa7\x1f\xb7^}f}(@\x19L\x1dG\x14O\x0fO\x0bX W\x03b\xfe`3\xa5\xf4\xa9*\xadp\x9f\x12\xb9\xc4\xa3\x06\xddX\xe7:A,k\xae\xe5@/b\xc9\x943V\xed(w\x8aQ\xfc\xfb\xfe\xf5\x10\xbf\xb2\xd9d\xc3\xa6\xfd\xf8\x07\xdaa\xcc\x8bN\x05\xe0O\x02\xe94S\xf6
\xc8\x97*q\x9c\x1b\x9e\x15\xb0\xdfR\xf9\x04\xe3F\x1d\x98'z\x81l\xab\xee%\x80o\xa2 \xd4s ProcessHandle => 0x00000098 BaseAddress => 0x01310000 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | VirtualProtectEx |
Protection => 0x00000002 ProcessHandle => 0x00000098 Address => 0x01310000 Size => 0x00000400 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | WriteProcessMemory |
Buffer => r\x00o\x00o\x00t\x00\x00\x00\x00\x00.\x00t\x00x\x00t\x00\x00\x00\x00\x00g\x00r\x00b\x00\x00\x00\x00\xd3\x11\xfa\xca\xde\x99\x04\x0f\xff\xaa\x11\xab\xcd\xef\x12\x00\x00\x00\x00*\x00\x00\x00%s=%s
\x00\x00
Path: %s
\x00\x00c\x00o\x00o\x00k\x00i\x00e\x00:\x00\x00\x00*\x00.\x00s\x00o\x00l\x00\x00\x00M\x00a\x00c\x00r\x00o\x00m\x00e\x00d\x00i\x00a\x00\\x00F\x00l\x00a\x00s\x00h\x00 \x00P\x00l\x00a\x00y\x00e\x00r\x00\x00\x00
IE Cookies:
\x00\x00\x00pstorec.dll\x00PStoreCreateInstance\x00\x00\x00\x00\x0b\xa9\xb6\xbb\xb0\xb2olf\x9a\xa0\x9e\x00\x00\x00\x00
\xbb\xb7\xa7\xb2qnh\x9c\xa2\xa0\x00\x0b\xbd\xad\xb0\xa9\xac\xa1\xaef\x9a\xa0\x9e\x00\x00\x00\x00
\xbd\xb7t\x9fqnh ProcessHandle => 0x00000098 BaseAddress => 0x01311000 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0x00000098 Address => 0x01311000 Size => 0x0000e38d |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | WriteProcessMemory |
Buffer => \x00\x00\x00\x00\xe4\x121\x01\x8dL1\x01T\x0c2\x01\x00\x00\x00\x00\x00\x00\x00\x00\xd8\x121\x01\xfeL1\x01`\x0c2\x01\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x121\x01\xc0L1\x01h\x0c2\x01\x00\x00\x00\x00\x00\x00\x00\x00\xa8\x121\x01lM1\x01\\x0c2\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x94\x121\x01\xfb\xec1\x01\x88\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x121\x01\x1b\xed1\x01p\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00l\x121\x01\xe3\xed1\x01\x8c\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00X\x121\x01\x00\xee1\x01\x90\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00D\x121\x01%\xe71\x01t\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00,\x121\x01E\xe71\x01\xa0\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00\x14\x121\x01f\xe71\x01\xa4\x0b2\x01\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x111\x01\x87\xe71\x01 ProcessHandle => 0x00000098 BaseAddress => 0x01320000 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0x00000098 Address => 0x01320000 Size => 0x00001360 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | WriteProcessMemory |
Buffer => \x00 \x00\x00h\x02\x00\x00@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;\x80;\x84;\x88;\x8c;\x90;\x94;\x98;\x9c;\xa0;\xa4;\xa8;\xac;\xb0;\xb4;\xb8;\xbc;\xc0;\xc4;\xc8;\xcc;\xd0;\xd4;\xd8;\xdc;\xe0;\xe4;\xe8;\xec;\xf0;\xf4;\xf8;\xfc;\x00<\x04<\x08<\x0c<\x10<\x14<\x18<\x1c< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<\x80<\x84<\x88<\x8c<\x90<\x94<\x98<\x9c<\xa0<\xa4<\xa8<\xac<\xb0<\xb4<\xb8<\xbc<\xc0<\xc4<\xc8<\xcc<\xd0<\xd4<\xd8<\xdc<\xe0<\xe4<\xe8<\xec<\xf0<\xf4<\xf8<\xfc<\x00=\x04=\x08=\x0c=\x10=\x14=\x18=\x1c= =$=(=,= ProcessHandle => 0x00000098 BaseAddress => 0x01322000 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | VirtualProtectEx |
Protection => 0x00000040 ProcessHandle => 0x00000098 Address => 0x01322000 Size => 0x00013000 |
SUCCESS | 0x00000001 | |
13:34:29,484 | 920 | NtFreeVirtualMemory |
FreeType => 0x00004000 ProcessHandle => 0xffffffff RegionSize => 0x00026000 BaseAddress => 0x0015e000 |
SUCCESS | 0x00000000 | |
13:34:29,494 | 920 | CreateRemoteThread |
Parameter => 0x00000000 ProcessHandle => 0x00000098 ThreadId => 596 StartRoutine => 0x01315aab CreationFlags => 0 |
SUCCESS | 0x00000094 | |
13:34:29,494 | 920 | NtOpenMutant |
Handle => 0x00000000 MutexName => C:\__SYSTEM__7F4523E5__ |
FAILURE | 0xc0000034 | |
13:34:29,494 | 920 | NtDelayExecution |
Milliseconds => 20 |
SUCCESS | 0x00000000 | |
13:34:29,514 | 920 | NtOpenMutant |
Handle => 0xffffffff MutexName => C:\__SYSTEM__7F4523E5__ |
FAILURE | 0xc0000034 | |
13:34:29,514 | 920 | NtDelayExecution |
Milliseconds => 20 |
SUCCESS | 0x00000000 | |
13:34:29,534 | 920 | NtOpenMutant |
Handle => 0xffffffff MutexName => C:\__SYSTEM__7F4523E5__ |
FAILURE | 0xc0000034 | |
13:34:29,534 | 920 | NtDelayExecution |
Milliseconds => 20 |
SUCCESS | 0x00000000 | |
13:34:29,554 | 920 | NtOpenMutant |
Handle => 0x00000098 MutexName => C:\__SYSTEM__7F4523E5__ |
SUCCESS | 0x00000000 | |
13:34:29,554 | 920 | ExitProcess |
ExitCode => 0 |
SUCCESS | 0x00000000 |